Custom Auth Flow - Retry Challenge?

Hello. We are developing a Cognito CUSTOM_AUTH flow with CUSTOM_CHALLENGE via the 3 triggers (I.e. define, create & verify auth challenge). We only have a single challenge, which is a CUSTOM_CHALLENGE that sends a verification code via a 3rd party SMS provider (we've been having issues with AWS sending SMS to T-mobile phones).

Anyhow, our Android app uses the Cognito SDK to sign up & in, etc. Everything is working fine if the user enters the correct code during the sign-in auth challenge. However, if the user enters an invalid code first, then retries with the correct code, we get: NotAuthorizedException, "Invalid session for the user." This only happens on the retry (RespondToAuthChallenge).

If they resend a new code and then enter it correctly, it also works. But no matter what, if they munge the first attempt, then the second attempt returns the error above. I never see any logs of the second attempt in AWS either. Both in the Lambda trigger logs as well as in CloudTrail Cognito logs. It's like some sort of security gate is preventing Cognito from even receiving the second RespondToAuthChallenge request.

I'm having a hard time determining if the issue is client or server-side. I found a similar post. Their steps to reproduce and error is exactly the same as ours but our scenario is different: https://github.com/aws-samples/amazon-cognito-passwordless-email-auth/issues/17

Running out of ideas, any help would be greatly appreciated. Thanks!